<div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Feb 20, 2021 at 5:20 PM redbaronbrowser via CentOS-devel <<a href="mailto:centos-devel@centos.org">centos-devel@centos.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Friday, February 19, 2021 5:47 PM, Josh Boyer <<a href="mailto:jwboyer@redhat.com" target="_blank">jwboyer@redhat.com</a>> wrote:<br>
<br>
> On Fri, Feb 19, 2021 at 5:47 PM redbaronbrowser<br>
> <a href="mailto:redbaronbrowser@protonmail.com" target="_blank">redbaronbrowser@protonmail.com</a> wrote:<br>
><br>
> > I'm not asking for anything ahead of RHEL customers getting it. All I am asking for is pre-approval from management to get access as an Upstream once a problem with RHEL is confirmed.<br>
><br>
> If you mean "get access to the fixed code" or "get access to a fixed<br>
> build", in a situation like the post-Boot Hole scenario there is no<br>
> pre-approval necessary. We will do our best to resolve the issue in<br>
> Stream as quickly as possible.<br>
<br>
You keep coming back to the Fix for the Broken-Fix. I believe you when you say Red Hat has always been working as quickly as possible to Fix any Broken-Fixes. However, once they have the fix, the lifecycle of the bug is over. Stream isn't interesting from the perspective of completed bug lifecycles. The interesting aspect to closing the openness gap is the mid-lifecycle of the bug.<br>
<br>
I am trying to focus on how quickly will Stream users be able to contribute to the fixing of a Broken-Fix.<br>
<br>
I am sorry if I am parsing too much into Mike's response, but it read to me like it is possible for the code to a Broken-Fix to, by policy, be withheld so that only the "entitled" RHEL subscribers can access it.<br>
<br></blockquote><div><br></div><div>You were.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
I'm asking to what degree Red Hat expects to be able to take advantage of us while an active Bugzilla entry exists because a CVE "fix" had unintended side-effects. Can we get quick transparency into accessing broken packages and code even if that broken build is CVE "fix" related?<br>
<br>
Or is the policy that we will sit on the sidelines while Red Hat by itself fixes broken security patches, much like CentOS has always operated before Stream?<br><br></blockquote><div><br></div><div>The policy is CVEs go out via RHEL first, just like it was with CentOS. When you see behavior that is counter to that policy, the policy was broken (this is a Red Hat policy, not a CentOS Stream policy).</div><div><br></div><div> -Mike </div></div></div>